Merge V8 at 3.9.24.24

Bug: 5688872
Change-Id: I2193f3dbd0d9137530174f65060d857b432a6abb
diff --git a/V8_MERGE_REVISION b/V8_MERGE_REVISION
index a80c7d8..6787b73 100644
--- a/V8_MERGE_REVISION
+++ b/V8_MERGE_REVISION
@@ -1,2 +1,2 @@
-V8 3.9.24.21
-http://v8.googlecode.com/svn/branches/3.9@11511
+V8 3.9.24.24
+http://v8.googlecode.com/svn/branches/3.9@11575
diff --git a/src/arm/ic-arm.cc b/src/arm/ic-arm.cc
index e843657..c88c257 100644
--- a/src/arm/ic-arm.cc
+++ b/src/arm/ic-arm.cc
@@ -774,7 +774,7 @@
   __ b(lt, slow_case);
 
   // Check that the key is a positive smi.
-  __ tst(key, Operand(0x8000001));
+  __ tst(key, Operand(0x80000001));
   __ b(ne, slow_case);
 
   // Load the elements into scratch1 and check its map.
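Review bot: The mask in the smi check at `__ tst(key, Operand(0x80000001));` is still a bare hex literal, which is how the dropped digit in the old value (bit 27 instead of the sign bit) went unnoticed and let some negative smi keys past this check. Building it from named constants, `__ tst(key, Operand(kSmiTagMask | kSmiSignMask));`, would make the intent checkable by reading, assuming those constants are in scope in this file. The same literal appears in the ia32 hunk at `__ test(key, Immediate(0x80000001));` and in src/mips/ic-mips.cc at `__ And(scratch1, key, Operand(0x80000001));`. The comment would also be more exact as `// Check that the key is a non-negative smi.`, since zero passes the test. The enclosing function starts and ends outside the hunk.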
diff --git a/src/ia32/ic-ia32.cc b/src/ia32/ic-ia32.cc
index 33f247a..eac2739 100644
--- a/src/ia32/ic-ia32.cc
+++ b/src/ia32/ic-ia32.cc
@@ -383,7 +383,7 @@
   __ j(below, slow_case);
 
   // Check that the key is a positive smi.
-  __ test(key, Immediate(0x8000001));
+  __ test(key, Immediate(0x80000001));
   __ j(not_zero, slow_case);
 
   // Load the elements into scratch1 and check its map.
@@ -396,7 +396,7 @@
   __ mov(scratch2, FieldOperand(scratch1, FixedArray::kLengthOffset));
   __ sub(scratch2, Immediate(Smi::FromInt(2)));
   __ cmp(key, scratch2);
-  __ j(greater_equal, unmapped_case);
+  __ j(above_equal, unmapped_case);
 
   // Load element index and check whether it is the hole.
   const int kHeaderSize = FixedArray::kHeaderSize + 2 * kPointerSize;
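Review bot: The switch to `__ j(above_equal, unmapped_case);` carries no comment saying why the comparison must be unsigned, so a later cleanup could revert it to a signed condition. A line such as `// Unsigned compare: a negative key must never index the parameter map.` above the branch would record that. The unsigned bound also depends on the `sub` two lines earlier not wrapping, which presumably holds because the parameter map always has at least two leading slots; that invariant is not visible here. The ARM and MIPS versions of this bounds check are not part of the diff, so it is worth confirming they already use unsigned conditions. The enclosing function extends beyond the hunk.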
diff --git a/src/mips/code-stubs-mips.cc b/src/mips/code-stubs-mips.cc
index 3e7b5bf..5719d2c 100644
--- a/src/mips/code-stubs-mips.cc
+++ b/src/mips/code-stubs-mips.cc
@@ -2754,7 +2754,6 @@
   Register left = a1;
   Register right = a0;
   Register scratch1 = t3;
-  Register scratch2 = t5;
 
   // Perform combined smi check on both operands.
   __ Or(scratch1, left, Operand(right));
@@ -3459,7 +3458,6 @@
 
     Label no_update;
     Label skip_cache;
-    const Register heap_number_map = t2;
 
     // Call C function to calculate the result and update the cache.
     // Register a0 holds precalculated cache entry address; preserve
diff --git a/src/mips/full-codegen-mips.cc b/src/mips/full-codegen-mips.cc
index 657bee8..778d140 100644
--- a/src/mips/full-codegen-mips.cc
+++ b/src/mips/full-codegen-mips.cc
@@ -3646,7 +3646,6 @@
   Register scratch1 = t3;
   Register scratch2 = t5;
   Register scratch3 = t4;
-  Register scratch4 = v1;
 
   // Separator operand is on the stack.
   __ pop(separator);
diff --git a/src/mips/ic-mips.cc b/src/mips/ic-mips.cc
index 2c4da1a..32da2df 100644
--- a/src/mips/ic-mips.cc
+++ b/src/mips/ic-mips.cc
@@ -767,7 +767,7 @@
   __ Branch(slow_case, lt, scratch2, Operand(FIRST_JS_RECEIVER_TYPE));
 
   // Check that the key is a positive smi.
-  __ And(scratch1, key, Operand(0x8000001));
+  __ And(scratch1, key, Operand(0x80000001));
   __ Branch(slow_case, ne, scratch1, Operand(zero_reg));
 
   // Load the elements into scratch1 and check its map.
diff --git a/src/mips/lithium-codegen-mips.cc b/src/mips/lithium-codegen-mips.cc
index 6628d8e..f21ed8f 100644
--- a/src/mips/lithium-codegen-mips.cc
+++ b/src/mips/lithium-codegen-mips.cc
@@ -2823,7 +2823,6 @@
 
 
 void LCodeGen::DoGlobalObject(LGlobalObject* instr) {
-  Register context = ToRegister(instr->context());
   Register result = ToRegister(instr->result());
   __ lw(result, ContextOperand(cp, Context::GLOBAL_INDEX));
 }
@@ -3210,7 +3209,7 @@
   // state[0] = 18273 * (state[0] & 0xFFFF) + (state[0] >> 16)
   __ And(a3, a1, Operand(0xFFFF));
   __ li(t0, Operand(18273));
-  __ mul(a3, a3, t0);
+  __ Mul(a3, a3, t0);
   __ srl(a1, a1, 16);
   __ Addu(a1, a3, a1);
   // Save state[0].
@@ -3219,7 +3218,7 @@
   // state[1] = 36969 * (state[1] & 0xFFFF) + (state[1] >> 16)
   __ And(a3, a0, Operand(0xFFFF));
   __ li(t0, Operand(36969));
-  __ mul(a3, a3, t0);
+  __ Mul(a3, a3, t0);
   __ srl(a0, a0, 16),
   __ Addu(a0, a3, a0);
   // Save state[1].
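Review bot: The context line `__ srl(a0, a0, 16),` ends with a comma instead of a semicolon, so it and the following `__ Addu(a0, a3, a0);` form a single comma expression. It presumably compiles and emits the same instructions because `__` expands to a member call, but it reads as a typo, and the sibling state[0] block in the previous hunk uses a semicolon. Since this commit already touches the adjacent `Mul` line, change it to `__ srl(a0, a0, 16);`. The enclosing function is not fully visible in the hunk.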
@@ -4124,7 +4123,6 @@
   Register scratch1 = scratch0();
   Register scratch2 = ToRegister(instr->TempAt(0));
   DoubleRegister double_input = ToDoubleRegister(instr->InputAt(0));
-  DoubleRegister double_scratch = double_scratch0();
   FPURegister single_scratch = double_scratch0().low();
 
   if (instr->truncating()) {
diff --git a/src/mips/lithium-mips.cc b/src/mips/lithium-mips.cc
index 29cb3c6..32c8875 100644
--- a/src/mips/lithium-mips.cc
+++ b/src/mips/lithium-mips.cc
@@ -1460,7 +1460,6 @@
 
 
 LInstruction* LChunkBuilder::DoCompareGeneric(HCompareGeneric* instr) {
-  Representation r = instr->GetInputRepresentation();
   ASSERT(instr->left()->representation().IsTagged());
   ASSERT(instr->right()->representation().IsTagged());
   LOperand* left = UseFixed(instr->left(), a1);
diff --git a/src/mips/stub-cache-mips.cc b/src/mips/stub-cache-mips.cc
index f1a8c89..54f55b3 100644
--- a/src/mips/stub-cache-mips.cc
+++ b/src/mips/stub-cache-mips.cc
@@ -1170,9 +1170,8 @@
   __ JumpIfSmi(receiver, miss, scratch1);
 
   // Check that the maps haven't changed.
-  Register reg =
-      CheckPrototypes(object, receiver, holder,
-                      scratch1, scratch2, scratch3, name, miss);
+  CheckPrototypes(object, receiver, holder,
+                  scratch1, scratch2, scratch3, name, miss);
 
   // Return the constant value.
   __ LoadHeapObject(v0, value);
@@ -4230,7 +4229,6 @@
   Register elements_reg = a3;
   Register length_reg = t1;
   Register scratch2 = t2;
-  Register scratch3 = t3;
 
   // This stub is meant to be tail-jumped to, the receiver must already
   // have been verified by the caller to not be a smi.
diff --git a/src/platform-linux.cc b/src/platform-linux.cc
index 9ca2479..9781407 100644
--- a/src/platform-linux.cc
+++ b/src/platform-linux.cc
@@ -995,43 +995,22 @@
 
 #elif !defined(__GLIBC__) && defined(__i386__)
 // x86 version for Android.
-struct _libc_fpreg {
-  uint16_t significand[4];
-  uint16_t exponent;
+struct sigcontext {
+  uint32_t gregs[19];
+  void* fpregs;
+  uint32_t oldmask;
+  uint32_t cr2;
 };
 
-struct _libc_fpstate {
-  uint64_t cw;
-  uint64_t sw;
-  uint64_t tag;
-  uint64_t ipoff;
-  uint64_t cssel;
-  uint64_t dataoff;
-  uint64_t datasel;
-  struct _libc_fpreg _st[8];
-  uint64_t status;
-};
-
-typedef struct _libc_fpstate *fpregset_t;
-
-typedef struct mcontext {
-  int32_t gregs[19];
-  fpregset_t fpregs;
-  int64_t oldmask;
-  int64_t cr2;
-} mcontext_t;
-
-typedef uint64_t __sigset_t;
-
+typedef uint32_t __sigset_t;
+typedef struct sigcontext mcontext_t;
 typedef struct ucontext {
-  uint64_t uc_flags;
-  struct ucontext *uc_link;
+  uint32_t uc_flags;
+  struct ucontext* uc_link;
   stack_t uc_stack;
   mcontext_t uc_mcontext;
   __sigset_t uc_sigmask;
-  struct _libc_fpstate __fpregs_mem;
 } ucontext_t;
-
 enum { REG_EBP = 6, REG_ESP = 7, REG_EIP = 14 };
 #endif
 
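Review bot: The replacement `struct sigcontext` and `ucontext` definitions are a hand-copied kernel ABI layout with nothing that names their source or checks them at compile time; the definitions being replaced here show how easily such a copy drifts. The signal handler presumably reads the saved registers through `uc_mcontext.gregs[REG_EIP]` and the other indices, so a wrong field width or offset yields bogus addresses rather than a build error. A comment naming the kernel header the layout was taken from, plus a size check such as `STATIC_ASSERT(sizeof(mcontext_t) == 22 * sizeof(uint32_t));` (if the tree's static-assert macro is usable in this file), would guard against that. Defining a type named `sigcontext` locally may also collide if a libc header later starts providing it, so a guard or a V8-specific name is worth considering. The surrounding `#if`/`#elif` chain begins outside the hunk.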
diff --git a/src/version.cc b/src/version.cc
index d024048..fa5f4c7 100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     9
 #define BUILD_NUMBER      24
-#define PATCH_LEVEL       21
+#define PATCH_LEVEL       24
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0
diff --git a/test/mjsunit/regress/regress-crbug-126414.js b/test/mjsunit/regress/regress-crbug-126414.js
new file mode 100644
index 0000000..6674267
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-126414.js
@@ -0,0 +1,32 @@
+// Copyright 2012 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+function foo(bar)  {
+  return arguments[bar];
+}
+foo(0);           // Handled in runtime.
+foo(-536870912);  // Triggers bug.
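Review bot: The regression test calls `foo` without asserting on the result, so it fails only if the bad access happens to crash; a build that silently reads a wrong slot would still pass. Pinning the values makes it catch that case: `assertEquals(0, foo(0));` and `assertEquals(undefined, foo(-536870912));`. This assumes the mjsunit assert helpers are loaded by the runner, as for other tests in this directory.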